Primary

Context

Lunary Stored Cross-Site Scripting Vulnerability in SAML IdP Metadata

Vulnerability

Patched

A stored cross-site scripting vulnerability has been identified in Lunary versions 1.6.7 and earlier. This issue allows an attacker to inject malicious JavaScript into the SAML Identity Provider XML metadata. The injected script is executed when the SAML login redirect URL is generated, as it is assigned to 'window.location.href' without adequate validation or sanitization. This vulnerability could be exploited to execute arbitrary JavaScript in the user's browser, potentially leading to session hijacking, data theft, or other malicious activities.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user's browser.

Remediation

Users can upgrade to Lunary version 1.7.10 or later to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

4.4

remediation

7.7

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

1.7

exploitability

4.4

remediation

7.7

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Lunary Stored Cross-Site Scripting Vulnerability in SAML IdP Metadata

Vulnerability

Impact

Remediation

Affected Products

lunary-ai/lunary

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating